How Digital Photos Reveal Who Took Them

There's no such thing as anonymity on the Internet. Google recently said that its Gmail users "ha[ve] no legitimate expectation of privacy." Encrypted email providers Lavabit and Silent Circle recently shut down after an undisclosed legal battle with the United States government. And that's to say nothing of PRISM and XKeyScore, two programs developed by the U.S. National Security Agency that take in millions of emails, forum posts, telephone calls and metadata every day.

But did you know that even your photos and videos can be traced to the individual digital camera that took them, just like a bullet can be traced to the gun that fired it or a fingerprint to the hand that created it?

So says Nasir Memon, a professor of computer science and cybersecurity at New York University Polytechnic Institute. Memon has developed a program that can obscure the so-called "fingerprint" hidden in each digital photo, as well another program that indexes the fingerprints of publically available photographs to help investigators find a match.

MORE: 13 Security and Privacy Tips for the Truly Paranoid

A digital image is actually a matrix, or grid, of numbers, where each number indicates the color on the corresponding section of the photographed scene.

A 2 megapixel camera, for example, takes images whose grids consist of 2 million squares. Each pixel is created by its own tiny sensor within the camera that captures light from a specific point in the scene. The camera then converts that light into an electrical charge that corresponds to a color value.

But this conversion process is never perfect: impurities in the sensors' silicon wafers create distinctive patterns in each image, invisible to the human eye, which connect photos and videos to the camera that took them.

These patterns are called "photo response non-uniformity noise," or sometimes simply "fingerprints," and they're increasingly used in investigations to identify culprits.

For example, a detective trying to find the source of a digital photo could confiscate a suspect's cameras and use them to take pictures of a blank wall or other neutral subject. Then the detective could compare the noise pattern of the original photo with that of the photos taken with the suspect's devices.

The program needed to identify a photo's noise pattern is relatively easy to write, Memon said, adding "my students do it all the time."

Noise pattern detection may be easy, if you know what you're doing, but removing that noise is very difficult. "You can take the picture and compress it and email it, photoshop it, [but]…the noise remains," Memon said. "After some point it starts becoming more difficult to detect but up to medium to low qualities it remains."

Experts have known about digital photos' distinctive noise for years, and many have developed ways to mask it, but others have always come back with ways to find traces of the fingerprint again.

But last year Memon helped develop a new method of disguising photos' distinct noise via a process called "seam-carving based anonymization."

Seam-carving is a type of geometric distortion in which the person wishing to anonymize a picture would remove certain rows or columns of pixels from the image. This misaligns the grid and makes it difficult to match the altered image's new noise pattern with that of other photos from the same camera.

"You have to remove [the rows and columns] in a very clever way such that it doesn't affect the quality of the image," Memon said.

MORE: Can You Hide Anything from the NSA?

"For any forensics technique there's always an anti-forensics [technique], and how good that anti-forensics could be must be mathematically characterized," Memon explained, adding that according to their calculations, seam-carving is highly secure.

Currently, Memon said, investigators need the camera in question to confirm a match. However, Memon and other cybersecurity experts recently developed an algorithm for indexing and efficiently searching all the images publicly available on photo management sites like Facebook, Flickr and Instagram.

Implementing a program that uses this algorithm would be a huge undertaking, Memon added. "You'd need massive server power to [index] hundreds of millions of pictures. These pictures are huge, and these noise patterns are even bigger than the pictures and…cannot be compressed [in storage]."

On its own, such a program wouldn't be able to access private pictures, though if the group implementing the program had a way of accessing private images, the program would then be able to index them as well.

Memon and his co-researchers recently acquired a patent for the algorithm and have been approached by several government agencies interested in implementing it, Memon said.

Email or follow her @JillScharr. Follow us @tomsguide, on Facebook and on Google+.

·         XkeyScore: How the NSA Can See Everything You Do Online

·         10 Ways the Government Watches You

·         14 Apps for Playing with Photos


Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.